PDA

View Full Version : Google redirection + Extremely low running of accounting software while connected



Robert Couture
2007-03-02, 01:45
In the last week more and more links that I clik is in Explorer are taken over by ??? and are redirected to different sites.

I ran Ad-aware - clean

I just download HiJackThis and run it here is the log file. Hope somebody could give me a hand.

Logfile of HijackThis v1.99.1
Scan saved at 6:24:04 PM, on 3/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iGrafx\MailCentral\MailCentral.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\NewsStand\Reader\ADLSched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cpt109:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: NewsStand Toolbar - {6E94ACD5-2C6A-48AC-84EF-A4DE746D385F} - C:\Program Files\NewsStand\Reader\NSIETool.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -masquer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [NewsStand.Scheduler] "C:\Program Files\NewsStand\Reader\ADLSched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Firewall Client Management.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = magrit.int
O17 - HKLM\Software\..\Telephony: DomainName = magrit.int
O17 - HKLM\System\CCS\Services\Tcpip\..\{0480F845-A92D-4DFB-B0BE-D01F5057FA14}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{379C2B8C-DB77-411C-A3F9-46FDF68D2DDD}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C39218-1FEB-44B8-B86C-10A97D3A9906}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{75842338-C1D7-4807-A213-A0BF5D46EF77}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{85BC03D3-6016-4410-ABE5-CA0236E973B3}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{93526947-A358-4A53-8DE2-5BFA7B865A16}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{F16D3F46-103C-47D9-B903-E5152E4DDB50}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = magrit.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.234
O17 - HKLM\System\CS1\Services\Tcpip\..\{0480F845-A92D-4DFB-B0BE-D01F5057FA14}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.234
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\WINDOWS\Downloaded Program Files\mimectl.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MailCentral - Corel - C:\Program Files\iGrafx\MailCentral\MailCentral.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

pskelley
2007-03-02, 14:51
Welcome to the forum, please follow the directions carefully.

1) Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

2) Thanks to LonnyBJones and anyone else who helped with this fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

(please hold those reports until we finish)

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O17 - HKLM\System\CCS\Services\Tcpip\..\{0480F845-A92D-4DFB-B0BE-D01F5057FA14}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{379C2B8C-DB77-411C-A3F9-46FDF68D2DDD}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C39218-1FEB-44B8-B86C-10A97D3A9906}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{75842338-C1D7-4807-A213-A0BF5D46EF77}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{85BC03D3-6016-4410-ABE5-CA0236E973B3}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{93526947-A358-4A53-8DE2-5BFA7B865A16}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{F16D3F46-103C-47D9-B903-E5152E4DDB50}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.234
O17 - HKLM\System\CS1\Services\Tcpip\..\{0480F845-A92D-4DFB-B0BE-D01F5057FA14}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.234

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the report from Fixwareout, a new HJT log and any comments you think will help.

Thanks

Robert Couture
2007-03-02, 16:55
First thanks for the speedy reply and the clarity of the procedure.

I did follow all the steps and I am posting the two outputs requested.

HijackThis File

Logfile of HijackThis v1.99.1
Scan saved at 9:43:48 AM, on 3/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iGrafx\MailCentral\MailCentral.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\NewsStand\Reader\ADLSched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cpt109:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: NewsStand Toolbar - {6E94ACD5-2C6A-48AC-84EF-A4DE746D385F} - C:\Program Files\NewsStand\Reader\NSIETool.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -masquer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [NewsStand.Scheduler] "C:\Program Files\NewsStand\Reader\ADLSched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Firewall Client Management.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = magrit.int
O17 - HKLM\Software\..\Telephony: DomainName = magrit.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = magrit.int
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\WINDOWS\Downloaded Program Files\mimectl.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MailCentral - Corel - C:\Program Files\iGrafx\MailCentral\MailCentral.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Fixwareout report :


»»»»» Postrun check
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.

'VFIND.exe' n'est pas reconnu en tant que commande interne
ou externe, un programme ex‚cutable ou un fichier de commandes.
'VFIND.exe' n'est pas reconnu en tant que commande interne
ou externe, un programme ex‚cutable ou un fichier de commandes.
'VFIND.exe' n'est pas reconnu en tant que commande interne
ou externe, un programme ex‚cutable ou un fichier de commandes.
Le fichier sp‚cifi‚ est introuvable.


Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
....
Hosts file was reset, If you use a custom hosts file please replace it

Rustock pe386 is present

Rustock msguard is present

Rustock lzx32 is present

Rustock huy32 is present
»»»»» End report »»»»»

»»»»» Postrun check
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.

'VFIND.exe' n'est pas reconnu en tant que commande interne
ou externe, un programme ex‚cutable ou un fichier de commandes.
'VFIND.exe' n'est pas reconnu en tant que commande interne
ou externe, un programme ex‚cutable ou un fichier de commandes.
'VFIND.exe' n'est pas reconnu en tant que commande interne
ou externe, un programme ex‚cutable ou un fichier de commandes.
Le fichier sp‚cifi‚ est introuvable.


Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
....
Hosts file was reset, If you use a custom hosts file please replace it

Rustock pe386 is present

Rustock msguard is present

Rustock lzx32 is present

Rustock huy32 is present
»»»»» End report »»»»»

As far as comments requested - I understand the gist of what we are doing, but without and in depth comprehension then ...

Robert Couture
2007-03-02, 17:12
Hello again,

When I read the fixwareout report, should I undertand that fixwareout uses a file name vfind.exe to locate some undesirable files on my system ? If yes you will notice that my systeme does not recognise vfind.exe as a valid file. Should I try to locate it, copy it to my system and rerun fixwareout ?

pskelley
2007-03-02, 17:16
Thanks Robert for returning your information. These are the folks who are at least partly responsible for this:
http://whois.domaintools.com/85.255.114.11
In this case rootkit infections were sent along with the rest of the junk to make it even harder to remove:

Rustock pe386 is present
Rustock msguard is present
Rustock lzx32 is present
Rustock huy32 is present

also my French is nonexistant so we need to find out what this is: VFIND.exe.
Unless you know, enable hidden files and folders and scan for the file, then use one or more of these free online scanners to find out what it is:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
Post that information for me to view

Have not tried to remove all of these items at once, let's give it a try like this:

Download: http://www.uploads.ejvindh.net/rustbfix.exe
...and save it to your desktop.
Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found,
you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while,
and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt).
Post the content of these logfiles along with a new HijackThis log.

Thanks

I did not see your post until after I posted. If, after you read the instructions, you still have questions, post them or send a PM.

Thanks...Phil

Robert Couture
2007-03-02, 17:55
Hello Phil,

Should I understand that vfind.exe is not part of Fixwareout.exe program ?

As far as the french is concerned, it only says, that vfind.exe is not an internal or external command, neither an executable or a command file. The following sentence says "the file specified cannot be found".

I will wait for your answer to go ahead with the rest of the procedure.

Thanks for leading me through this, highly appreciated

Robert

Robert Couture
2007-03-02, 18:13
Found the file, seems to be part of the fixwareout files; it is located in:

C:\fixwareout\FindT

I ran rustbfix - report says :

************************* Rustock.b-fix -- By ejvindh *************************
Fri 03/02/2007 11:04:24.23

No Rustock.b-rootkits found

******************************* End of Logfile ********************************

pskelley
2007-03-02, 18:56
There should be more information in that report, see this:

After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt).
Post the content of these logfiles along with a new HijackThis log.Take a look for the folder and see if you can locate the information. Should be on the Desktop?

and what about the VFIND.exe, what did you find out about it?

Thanks

Robert Couture
2007-03-02, 20:46
> There should be more information in that report, see this:

As the program does not find any problems, it does not ask me to reboot, see report.

> and what about the VFIND.exe, what did you find out about it?

As I said, it is in a subdirectory of fixwareout C:\fixwareout\FindT

Thanks[/QUOTE]

pskelley
2007-03-02, 20:53
How is the computer running? I am not 100% sure all of the junk is gone, please follow these directions to run Blacklight unless you are satisfied you have no problems.

Please download F-Secure BlackLight Beta:
https://europe.f-secure.com/exclude/blacklight/index.shtml

Save it to its own folder in the Desktop
Double-click blbeta.exe to run the program
Click : Scan
A list of all items found is created

The list is in the BlackLight folder on the Desktop, and named fsbl.xxxxxxx.log (xxxxxxx are numbers).

Please provide the log created by BlackLight in your next reply.

Thanks

Robert Couture
2007-03-02, 22:15
Hello again Phil,

Content of the log :

03/02/07 14:54:13 [Info]: BlackLight Engine 1.0.55 initialized
03/02/07 14:54:13 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/02/07 14:54:13 [Note]: 7019 4
03/02/07 14:54:13 [Note]: 7005 0
03/02/07 14:54:22 [Note]: 7006 0
03/02/07 14:54:22 [Note]: 7011 3756
03/02/07 14:54:22 [Note]: 7026 0
03/02/07 14:54:23 [Note]: 7026 0
03/02/07 14:54:39 [Note]: FSRAW library version 1.7.1021
03/02/07 15:05:39 [Note]: 2000 1012
03/02/07 15:05:40 [Note]: 2000 1012

In blackLight itself

Hidden items found 0
Items queued for renaming 0

I have been using my computer all day, no redirection encountered + accounting software running OK. Can we conclude that we have solve the problem ?

pskelley
2007-03-02, 22:46
Hi Robert, those Ukrainians are sneaky but it looks like we killed the infection. Blacklight is of course clean. I will post one more rootkit scanner and you may use it if you wish. I will also post closing instructions. Post in 48 hours to let me know all is well and I will close your topic. You may remove the tools we downloaded from your computer, the one exception being ATF-Cleaner. That is a nice little tool and you may keep it if you wish.

1) Optional rootkit scan: * Click here to download AVG Anti Rootkit and save it to your desktop.
http://beta.grisoft.cz/beta/betarep.files/antirootkit/AVG_AntiRootkit_1.0.0.13.exe
Double-click on the AVG_AntiRootkit_1.0.0.13.exe file to run it.
Click "I Agree" to agree to the EULA.
By default it will install to "G:\Program Files\GRISOFT\AVG Anti-Rootkit Beta".
Click "Next" to begin the installation then click "Install".
It will then ask you to reboot now to finish the installation.
Click "Finish" and your computer will reboot.
After it reboots, double-click on the AVG Anti-Rootkit Beta shortcut that is now on your desktop.
Click on the "Perform in-depth search" button to begin the scan.
The scan will take a while so be patient and let it complete.
When the scan is finished, click the "Save result to file" button.
Save the scan results to your desktop then come back here to copy and paste the results in your next reply to this thread.

2) System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Robert Couture
2007-03-03, 01:25
Humble greetings to men of knowledge

I raise my hat to you and to your collegues pskelley - No rootkit found -

If I may intrude on your time a bit more, can you explain what is the rationale behind these spyware - what can these ukrainians or any other person gain from the implementation of these spyware on our computers ? If I can find this answer somewhere just tell me where.

I will be sendig a donation to the site tomorrow morning.

Robert

pskelley
2007-03-03, 01:55
Thanks Robert, we do all we can. I also have to tell you that this is all albout the money: http://www.pcmech.com/show/kudos/905/
http://www.google.com/search?hl=en&q=malware+and+money&btnG=Google+Search

Here is one place where your voice can be heard if you would like:
http://www.malwarecomplaints.info/

Thanks for the donation, we are an all volunteer staff but I am sure there are considerable expenses in keeping a forum like this up and running.
One of our main forums and the source of much of the information we rely on in this fight recently was attacked by these hackers, and there is a very good chance the attack originated in the old Soviet Union. Here is some information:
http://www.google.com/search?hl=en&q=castlecops+ddos+attack

Safe surfing...Phil:)

pskelley
2007-03-05, 13:33
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanka